Amendment to the Claims : 

The following listing of claims replaces all previous versions and listings of claims: 

1 . (currently amended) An improved method of maintaining privacy for transactions 
employing a user device having a security module, wherein the improvement comprises the steps 
of: 

receiving at a pri vacy certification authority computer a first set of signature values from 
the user device, the first set of signature values being generated by the user device using a first set 
of values obtained from an issuer to indicate that attestation was obtained from the issuer; 

issuing a second set of values by the privacy certification authority computer to the user 
device, the second set of values based on a common value with the first set of signature values as 
an authority token; 

receiving at a verification computer-a thefost set of signature values generated by the user 
device using-a the_first set of values obtained from-an the issuer; 

receiving at the verification computer a second set of signature values generated by the 
user device using-a the_second set of values obtained frora-e the privacy certification authority 
computer; 

checking-^ bvthe verification computer the validity of the first set of signature values 
with a public key of the issuer; 

checking-rrt byjhe verification computer the validity of the second set of signature values 
with a public key of the privacy certification authority computer;-aftd 

verifying a proof-at byjhe verification computer that the first and second sets of signature 
values are based on the first and second sets of values that are obtained from-a the common value. 
where the common value -thai is unique to the user device; 

using a same base value by the privacy certification authority computer for a period of time 
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such that the privacy certification authority computer determines validity of the security module based 
on a frequency with which the security module has requested certification: and 

issuing the second set of values by the privacy certification authority computer is 
performed in response to determining the validity of the security module 

wherein the privacy c e rtification authority computer us e s a same base valu e for a 
s uffici e ntly long period of time s uch that the privacy c e rtification authority computer can 
determ in e a frequency with wh ich the security m odule h a s request ed ce rt ifi ca tio n, the reby 
atio wing th e priva cy ce rtification auth ority compute r to id entify wheth e r th e s e curity m odule is a 
rogue security module . 

2. (previously presented) The improved method according to claim 1, wherein the 
step of verifying comprises the step of: 

verifying that a first value is derived from a base value included in the first set of -signature 
values, is identical with a second value that is obtained from the base value, and is included in the 
second set of signature values. 

3. (canceled) 

4. (previously presented) The improved method according to claim 2, wherein the 
base value is different each time the method is applied. 

5. (currently amended) The improved method according to claim 1, wherein the 
common value is obtained from an endorsement key that is related allocated to the security 
modul e from the public key of the issuer . 

6-20. (canceled) 

21. (previously presented) The improved method of claim 1 , wherein the common 
value is not forwarded to the security module in the user device. 

22. (previously presented) The improved method of claim 1, wherein the privacy 

certification authority computer does not learn any useful information about the common value. 
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23. (previously presented) The improved method of claim 1 , wherein the user device 
can use the second set of values only once and only with a given verifier. 

24. (currently amended) A computer program product tangibly embodying computer 
readable instructions which when executed by an entity comprising a verification computer and a 
privacy certification authority computer causes the entity the comput e r to implement the steps of 
the improv e d m e thod o f cl a i m 1 

receiving at the privacy certification authority computer a first set of signature values from 
a user device having a security module, the first set of signature values being generated by the 
user device using a first set of values obtained from an issuer to indicate that attestation was 
obtained from the issuer; 

issuing a second set of values by the privacy certification authority computer to the user 
device, the second set of values based on a common value with the first set of signature values as 
an authority token; 

receiving at the verification computer the first set of signature values generated by the user 
device using the first set of values obtained from the issuer; 

recei ving at the verification computer a second set of signature values generated by the 
user de vice using the second set of values obtained from the privacy certification authority 
computer; 

checking bv the verification computer the validity of the first set of signamre values with a 
public key of the issuer; 

check ing by t he verification computer the validity of the second set of signature values 
with a public key of the privacy cert ification authority computer; 

verifying a proof by the verification computer that the first and second sets of signature 
values are based on the first and second sets of values that are obtained from the common value, 
where the common value is unique to the user device; 
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using a same base value by the privacy certification authority computer for a period of time 
such that the privacy certification authority computer determines validity of the security module based 
on a frequency with which the security module has requested certification: and 

issuing the second set of values by the privacy certification authority computer is 
performed in response to determining the validity of the security module . 
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